As I alluded to here, my long-held impression is that no real anomaly-based network IDS (NIDS) has ever been successful commercially and/or operationally. There were some bits of success, to be sure (“OMG WE CAN DETECT PORTSCANS!!!”), but overall they (IMHO) do not quite add up to success of the approach.
In light of this opinion, here is a fun question: do you think the current generation of machine learning (ML)- and “AI”-based (why is AI in quotes?) systems will work better? Note that I am aiming at a really, really low bar: will they work better than – per the above statement – not at all? But my definition of “work” includes “work in today’s messy and evolving real-life networks.”
This is actually a harder question than it seems. Of course, ML and “AI” aficionados (who, as I am hearing, are generally saner than the blockchain types … those are more akin to clowns, really) would claim that of course “now with ML, things are totally different”, “because cyber AI” and “next next next generation deep learning just works.”
On the other hand, some of the rumors we are hearing say that in noisy, flat, poorly managed networks anomaly detection devolves to … no, really! … to signatures and fixed activity thresholds where humans write rules about what is bad and/or not good.
Before we delve into this, let’s think about the meaning of the word ANOMALY. In the past, “anomaly-based” was about silly TCP stack protocol anomalies and other “broken packets.” Today it seems that the term “anomaly” applies to mathematical anomalies in long-term activity patterns – and not merely packets like in the 1990s.
So, will it work? This cannot really be answered without asking “work to detect what?”
Let’s go through a few examples we are hearing about:
- C2/C&C connection from malware to an UNKNOWN [for known, signatures and TI work well, no need to ML it] piece of attacker infrastructure – this was reported to work by some people, and it is not a stretch to imagine that anomaly detection can work here, at least some of the time
- Connection to some malicious domain [UNKNOWN to be bad at detection time, see above] – DGA domain detection is now baby’s first ML, so it does work [with some “false positives”, but then again, this is a separate question]
- Internal recon such as a port scan – it works, but then again, this is probably the only thing where the old systems also worked [but with false alarms too]
- Stolen data exfiltration by an attacker – we have heard some noises that it may work, but then again – we have heard the same about DLP. IMHO, the jury is still out on this one… Let’s say I think anomaly detection may detect some exfiltration some of the time with some volume of “false positives” and other “non-actionables”
- Lateral movement by the attacker – the same as above, IMHO, the jury is still out on this one and how effective it can be in real life. I’d say we’ve heard examples where it worked, and some where it was too noisy to be useful or failed outright.
Apart from that, I’ve seen some naïve attempts to use supervised ML to train systems to learn good/bad traffic in general. IMHO, this is a total lost cause. It worked brilliantly for binaries (pioneered by “Vendor C”, for example), but IMHO this is 100% hopeless for general network traffic.
Finally, if the above detection gains do not materialize for you, we are back in the “dead packet storage” land (albeit with metadata, not packets).
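To make the port-scan item and the “fixed activity thresholds” remark above concrete, here is a small added example (written for this post, not code from the original or from any vendor): an old-style fixed distinct-port threshold beside a per-host statistical baseline, both run over constructed flow records. The host names, port sets and the “scanner” host are all assumptions made up for the demo; the threshold rule keeps firing on the legitimately noisy scanner until a human writes an exception for it, which is the devolution into hand-written rules described above.

```python
import math
from collections import defaultdict

# Constructed flow records: (time_bucket, src_host, dst_port). "ws1"/"ws2" behave
# normally, "scanner" is a legitimately noisy vulnerability scanner, and "ws3"
# starts sweeping ports in bucket 5 (the internal-recon case from the list).
FLOWS = (
    [(t, "ws1", p) for t in range(6) for p in (80, 443, 53)]
    + [(t, "ws2", p) for t in range(6) for p in (443, 445, 53, 389)]
    + [(t, "scanner", p) for t in range(6) for p in range(1, 60)]
    + [(t, "ws3", p) for t in range(5) for p in (80, 443)]
    + [(5, "ws3", p) for p in range(1, 40)]
)


def distinct_ports_per_bucket(flows):
    """Map host -> list of distinct destination-port counts, one per time bucket."""
    seen = defaultdict(lambda: defaultdict(set))
    for t, host, port in flows:
        seen[host][t].add(port)
    return {h: [len(seen[h][t]) for t in sorted(seen[h])] for h in seen}


def threshold_rule(counts, limit=20, known_noisy=()):
    """The 1990s-style rule: more than `limit` distinct ports in any bucket.
    `known_noisy` is the allowlist a human ends up writing after the first false alarm."""
    return sorted(h for h, c in counts.items()
                  if h not in known_noisy and any(x > limit for x in c))


def baseline_anomaly(counts, z_limit=3.0):
    """Per-host baseline: flag a host whose latest bucket deviates from its own history.
    A host that is always noisy has a noisy baseline and is therefore not flagged."""
    flagged = []
    for host, c in counts.items():
        if len(c) < 2:
            continue  # no history to compare against
        hist, last = c[:-1], c[-1]
        mean = sum(hist) / len(hist)
        sd = math.sqrt(sum((x - mean) ** 2 for x in hist) / len(hist))
        # Floor the spread at one port so a perfectly flat history does not divide by zero.
        if (last - mean) / max(sd, 1.0) > z_limit:
            flagged.append(host)
    return sorted(flagged)


if __name__ == "__main__":
    counts = distinct_ports_per_bucket(FLOWS)
    print("threshold, no allowlist:", threshold_rule(counts))
    print("threshold, scanner allowlisted:", threshold_rule(counts, known_noisy={"scanner"}))
    print("per-host baseline:", baseline_anomaly(counts))
```

The baseline catches only ws3, while the fixed threshold also reports the scanner every single bucket until it is allowlisted; with a baseline the trade-off moves instead to hosts whose legitimate behaviour changes, which is where the “false alarms too” caveat comes back in.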